Description of problem:
Routes are not getting created when using hostname without FQDN standard
In OCP 4.6.3 we are able to create routes using hostname "foo" with out the FQDN standard.
But in OCP4.7 we are not able to create the same kind of route. while creating the route getting the below error.
The Route "httpd" is invalid: spec.host: Invalid value: "pipequery": host must conform to DNS 1123 naming conventions: [spec.host: Invalid value: "pipequery": should be a domain with at least two segments separated by dots]
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. oc new-project demo
2. oc new-app httpd
3. oc expose svc/httpd --hostname=foo
The Route "httpd" is invalid: spec.host: Invalid value: "foo": host must conform to DNS 1123 naming conventions: [spec.host: Invalid value: "foo": should be a domain with at least two segments separated by dots]
Route should create with out any warning.
In OCP version 4.6.3 its working but in OCP version 4.7.1 its not working
*** Bug 1957583 has been marked as a duplicate of this bug. ***
This broke half of our internal routes after the upgrade to 4.7.11.
We can't use shortname (non fqdn) DNS entries anymore.
I don't understand the reasoning behind enforcing this globally for all customers without even an option to disable this behavior if needed?
Is there any workaround to disable this check on the ingress controller?
Previously, OpenShift API admitted routes that had invalid DNS names in spec.host, and OpenShift router rejected these routes in some cases. Having a route admitted by the API and rejected by the router caused confusion, and the issue was reported as bug 1896977, which we fixed by modifying the API to reject routes with host names that the router would reject, such as hosts with overly long labels. Unintentionally, we also changed the router to reject routes with host names that the router previously accepted, such as hosts with single labels.
Ideally, the API should reject routes that the router would reject, but the API and router should continue to admit any routes that the router admitted in previous versions of OpenShift.
In order to provide an expedited solution for this new report (bug 1957584), we will revert the fix for bug 1896977. We will need to first revert the change in OpenShift 4.8 and then backport the reversion to OpenShift 4.7. For now, I am setting the target version of this report to 4.8.0, and we will clone the report for the 4.7.z backport.
verified in "4.8.0-0.ci.test-2021-05-26-040433-ci-ln-zdb6fwk-latest" ci image. With the patch revert in place, the unformatted hostnames are now accepted and functional:
oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.8.0-0.ci.test-2021-05-26-040433-ci-ln-zdb6fwk-latest True False 80m Cluster version is 4.8.0-0.ci.test-2021-05-26-040433-ci-ln-zdb6fwk-latest
oc expose svc service-unsecure --hostname=foobar
oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
service-unsecure foobar service-unsecure http None
oc get route service-unsecure -o yaml
- lastTransitionTime: "2021-05-26T05:54:47Z"
We're asking the following questions to evaluate whether or not this bug warrants blocking an upgrade edge from either the previous X.Y or X.Y.Z. The ultimate goal is to avoid delivering an update which introduces new risk or reduces cluster functionality in any way. Sample answers are provided to give more context and the UpgradeBlocker flag has been added to this bug. It will be removed if the assessment indicates that this should not block upgrade edges. The expectation is that the assignee answers these questions.
Who is impacted? If we have to block upgrade edges based on this issue, which edges would need blocking?
example: Customers upgrading from 4.y.Z to 4.y+1.z running on GCP with thousands of namespaces, approximately 5% of the subscribed fleet
example: All customers upgrading from 4.y.z to 4.y+1.z fail approximately 10% of the time
What is the impact? Is it serious enough to warrant blocking edges?
example: Up to 2 minute disruption in edge routing
example: Up to 90seconds of API downtime
example: etcd loses quorum and you have to restore from backup
How involved is remediation (even moderately serious impacts might be acceptable if they are easy to mitigate)?
example: Issue resolves itself after five minutes
example: Admin uses oc to fix things
example: Admin must SSH to hosts, restore from backups, or other non standard admin activities
Is this a regression (if all previous versions were also vulnerable, updating to the new, vulnerable version does not increase exposure)?
example: No, it’s always been like this we just never noticed
example: Yes, from 4.y.z to 4.y+1.z Or 4.y.z to 4.y.z+1
I've added ImpactStatementRequested, per . Once we have an impact statement candidate, can you clear that and set ImpactStatementProposed? If not, no worries, we'll probably notice anyway ;)
> Who is impacted? If we have to block upgrade edges based on this issue, which edges would need blocking?
Customers upgrading from 4.6.z to 4.7.z with routes that have invalid DNS names that the router previously accepted, namely single-label names (i.e., host names without dots).
> What is the impact? Is it serious enough to warrant blocking edges?
Routes with invalid DNS names are now rejected. Applications will be unreachable.
> How involved is remediation (even moderately serious impacts might be acceptable if they are easy to mitigate)?
Admin must changes routes to use valid DNS names or downgrade to an earlier OpenShift release.
> Is this a regression (if all previous versions were also vulnerable, updating to the new, vulnerable version does not increase exposure)?
Yes, from 4.6.z to 4.7.z.
The PR merge made into "4.8.0-0.nightly-2021-05-27-185001" nightly release and the bug has been verified via pre-merge (c#15) but the bot likely did not move it to "verified". Hence manually the appropriate state.
We are not considering this as UpgradeBlocker because we don't know how many clusters are impacted as this information isn't submitted via Telemetry/Insights. However we see more customer cases we might change our stance.
Hi, does this bug require doc text? If so, please update the doc text field.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.